
Re: [CSP] Clarifications regarding the HTTP LINK Header

From: Brad Hill <hillbrad@fb.com>
Date: Tue, 18 Nov 2014 01:48:56 +0000
To: Deian Stefan <deian@cs.stanford.edu>, Ilya Grigorik <ilya@igvita.com>, Anne van Kesteren <annevk@annevk.nl>
CC: Brian Smith <brian@briansmith.org>, Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D08FE515.11D1%hillbrad@fb.com>
I guess this would count as a meaningful CSP violation. (link
rel=stylesheet in header, though haven't looked in to see if it works
without also repetitively listing it in the response body content) I
thought it might be a case of such, but didn't find documentation for
anything other than prefetching in the header version.

https://code.google.com/p/chromium/issues/detail?id=58456#c15

On 11/17/14, 4:50 PM, "Deian Stefan" <deian@cs.stanford.edu> wrote:

>Brad Hill <hillbrad@fb.com> writes:
>
>> I wonder a bit how much this actually matters for the guarantees we're
>>trying to make for CSP?
>>
>> If I prefetch something that is later denied to be included /
>>transcluded into a page via CSP, have I violated the policy?
>>
>> Even if we decide to use CSP for confinement (which it presently makes
>>no strong guarantees of) is link fetching that happens before the
>>instantiation of a resource in the scope of that confinement?
>>
>> I think an example of an actual vulnerability that we would care about
>>addressing would help me reason about this better.
>
>I think you're right, this is not technically a violation of the
>policy. Even in the context of confinement. I think the issue is one
>of mistakenly assuming that the CSP applies to all fetching vs. it only
>applying to all subsequent fetches.
>
>Deian

Received on Tuesday, 18 November 2014 01:49:44 UTC
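The thread leaves open whether a fetch triggered by a Link response header is governed by the same response's Content-Security-Policy at all. A site operator who wants to know whether that question even matters for a given page can audit its own headers: for each Link-triggered fetch, look up the directive that would govern it and check the URL against that directive's source list. The script below is an added example written for this page; it is not code from the thread, from Chromium, or from any browser's CSP implementation. It assumes a mapping from link relation to CSP directive (rel=stylesheet to style-src, rel=prefetch falling back to default-src, rel=preload by its "as" parameter), a page origin supplied by the caller, and a simplified source-expression matcher (keywords, scheme-source and host-source only; no nonces, hashes or path matching). The response headers are constructed sample input.

```python
"""Audit whether resources fetched via an HTTP Link response header would be
allowed by the same response's Content-Security-Policy, if that policy were
applied to them. Constructed example for this page; not code from the thread
or from any browser. Source matching is simplified: keywords, scheme-source
and host-source only (no nonces, hashes or path matching)."""
import re
from urllib.parse import urlparse

# Link relation -> CSP directive that would govern the fetch. This mapping is
# an assumption of the example; the thread itself leaves open whether the
# policy applies to Link-header fetches at all.
REL_TO_DIRECTIVE = {
    "stylesheet": "style-src",
    "prefetch": "default-src",
    "preload": None,  # resolved from the "as" parameter below
}
AS_TO_DIRECTIVE = {
    "script": "script-src",
    "style": "style-src",
    "image": "img-src",
    "font": "font-src",
}


def parse_link_header(value):
    """Parse a Link header into (url, params) tuples (RFC 5988 style, simplified)."""
    links = []
    for part in re.split(r",\s*(?=<)", value):
        m = re.match(r"\s*<([^>]*)>\s*(.*)", part)
        if not m:
            continue
        url, rest = m.group(1), m.group(2)
        params = {}
        for p in rest.split(";"):
            p = p.strip()
            if "=" in p:
                k, v = p.split("=", 1)
                params[k.strip().lower()] = v.strip().strip('"')
        links.append((url, params))
    return links


def parse_csp(value):
    """Parse a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_allows(src, url, page_origin):
    """Check one CSP source expression against a URL (keywords, scheme, host only)."""
    src_l = src.lower()
    u = urlparse(url)
    if src_l == "'none'":
        return False
    if src_l == "'self'":
        p = urlparse(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if src_l == "*":
        return u.scheme in ("http", "https")
    if src_l.endswith(":") and "/" not in src_l:  # scheme-source, e.g. "https:"
        return u.scheme + ":" == src_l
    # host-source, optionally with a scheme and a leading wildcard label
    scheme, _, host = src_l.rpartition("://")
    if scheme and scheme != u.scheme:
        return False
    host = host.split("/")[0]
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.netloc.lower() == host or u.hostname == host


def audit_link_fetches(headers, page_origin):
    """Return (url, directive, allowed) for every Link-triggered fetch the policy would govern."""
    policy = parse_csp(headers.get("Content-Security-Policy", ""))
    findings = []
    for url, params in parse_link_header(headers.get("Link", "")):
        rel = params.get("rel", "")
        directive = REL_TO_DIRECTIVE.get(rel)
        if rel == "preload":
            directive = AS_TO_DIRECTIVE.get(params.get("as", ""))
        if directive is None:
            continue  # relation this example does not model
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            allowed = True  # no governing directive: the policy is silent
        else:
            allowed = any(source_allows(s, url, page_origin) for s in sources)
        findings.append((url, directive, allowed))
    return findings


# Constructed response headers modelled on the case raised in the thread: a
# stylesheet pushed through the Link header while CSP restricts style-src.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; style-src 'self' https://cdn.example.net",
    "Link": '<https://cdn.example.net/site.css>; rel=stylesheet, '
            '<https://tracker.example.org/beacon.css>; rel="stylesheet", '
            '<https://static.example.com/next.js>; rel=prefetch',
}

if __name__ == "__main__":
    for url, directive, ok in audit_link_fetches(SAMPLE_HEADERS, "https://www.example.com"):
        print(f"{'allowed' if ok else 'NOT allowed'} by {directive}: {url}")
```

Run against the constructed headers, the audit reports the CDN stylesheet as allowed by style-src, the third-party stylesheet as not allowed by style-src, and the prefetch as not allowed by the default-src fallback. Whether a browser actually enforces any of that on header-triggered fetches is exactly the point the thread disputes; the audit only shows where the answer would change the outcome.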
